DOCSLIB.ORG

The Ray Attack on RSA Cryptosystems’, in R

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Ray Attack on RSA Cryptosystems’, in R The ray attack, an inefficient trial to break RSA cryptosystems∗ Andreas de Vries† FH S¨udwestfalen University of Applied Sciences, Haldener Straße 182, D-58095 Hagen Abstract The basic properties of RSA cryptosystems and some classical attacks on them are described. Derived from geometric properties of the Euler functions, the Euler function rays, a new ansatz to attack RSA cryptosystemsis presented. A resulting, albeit inefficient, algorithm is given. It essentially consists of a loop with starting value determined by the Euler function ray and with step width given by a function ωe(n) being a multiple of the order ordn(e), where e denotes the public key exponent and n the RSA modulus. For n = pq and an estimate r < √pq for the smaller prime factor p, the running time is given by T (e,n,r)= O((r p)lnelnnlnr). − Contents 1 Introduction 1 2 RSA cryptosystem 2 2.1 Properties of an RSA key system . ... 4 2.2 ClassicalRSAattacks. 5 3 The Euler function ray attack 7 3.1 The ω-function and the order of a number modulo n ............... 7 3.2 Properties of composed numbers n = pq ..................... 10 3.3 Thealgorithm................................... 13 arXiv:cs/0307029v1 [cs.CR] 11 Jul 2003 4 Discussion 15 A Appendix 15 A.1 Euler’sTheorem.................................. 15 A.2 The Carmichael function and Carmichael’s Theorem . ......... 16 1 Introduction Since the revolutionary idea of asymmetric cryptosystems was born in the 1970’s, due to Diffie and Hellman [4] and Rivest, Shamir and Adleman [9], public key technology became an in- dispensable part of contemporary electronically based communication. Its applications range ∗This paper is a slight modification of [10] †e-Mail: [email protected] 1 from authentication to digital signatures and are widely considered to be an essential of future applications for e-commerce. The most popular cryptosystem is RSA. There has been numerous, more or less unsuc- cessful, attacks on RSA. The strongness of RSA bases on the difficulty to factorize integers as well as to compute the discrete logarithm. For more details, see e.g. [1, 2, 3, 6]; cf. also http://www.math-it.org 2 RSA cryptosystem The RSA cryptosystem, named after its inventors Ron Rivest, Adi Shamir, and Len Adleman (1978), was the first public key cryptosystem and is still the most important one. It is based on the dramatic difference between the ease of finding large prime numbers and computing modular powers on the one hand, and the difficulty of factorizing a product of large prime numbers as well as inverting the modular exponentiation. Generally, in a public key system, each participant has both a public key and a private key, which is held secret. Each key is a piece of information. In the RSA cryptosystem, each key consists of a group of integers. The participants are traditionally called Alice and Bob, and we denote their public and secret keys as PA, SA for Alice and PB, SB for Bob. All participants create their own pair of public and private keys. Each keeps his private key secret, but can reveal his public key to anyone or can even publish it. It is very convenient that everyone’s public key is available in a public directory, so that any participant can easily obtain the public key of any other participant, just like we nowadays can get anyones phone number from a public phone book. In the RSA cryptosystem, each participant creates his public and private keys with the fol- lowing procedure. 1. Select at random two large prime numbers p and q, p = q. (The primes might be more 6 than 200 digits each, i.e. more than 660 bits.) 2. Compute n = pq and the Carmichael function λ(n)= lcm(p 1,q 1). − − 3. Select an integer d relatively prime to λ(n). (d should be of the magnitude of n, i.e., d / λ(n).) 4. Compute e as the multiplicative inverse of d modulo λ(n), such that ed = 1 mod λ(n). This is done efficiently by the extended Euclidean algorithm. 5. Publish the pair P = (e,n) as the public key. 6. Keep secret the pair S = (d,n) as the private or secret key. For this procedure, the domain of the messages is Zn. For each participant of a cryptosystem, the four-tuple (e,d, p,q) N4 is called (individual) RSA key system. The key parameter e is also called the encryption∈ exponent, d the decryption exponent, and n the RSA modulus. The encryption of a message m Zn associated with a public key P = (e,n) is performed ∈ by the function E : Zn Zn, → E(m)= me mod n. (1) 2 The decryption of a ciphertext c Zn associated with the private key S = (d,n) is done by the ∈ mapping D : Zn Zn, → D(c)= cd mod n. (2) The procedure where Alice sends an encrypted message to Bob is schematically shown in Figure 1. A qualitatively new possibility offered by public key systems (and being unimple- Figure 1: Alice sends an encrypted message m to Bob, using his public RSA key PB. mentable with symmetric key systems) is the procedure of digital signature. How an RSA cryptosystem enables Alice to digitally sign a message and how Bob can verify that it is signed by Alice is sketched in Figure 2. As a matter of course, this verification in fact is possible only if the authenticity of Alice’s public key PA is guaranteed such that Bob can assume that it is her key (and not a third person’s one) which he uses. This guarantee is the job of so-called trust centers. Figure 2: Alice sends a digitally signed message to Bob; Bob uses Alice’s public key to decrypt the message and to verify this way that Alice has signed it with her private key. The correctness of RSA, i.e., the fact that E and D define inverse functions on Zn (D E = ◦ E D = idZ ) relies on the simple fact that ◦ n ed m = m mod n for m Zn, (3) ∈ which is immediately proved by the corollary of Carmichael A.7, p. 18. For details see, e.g., [1, 2, 3]. 3 Remark 2.1 Often one finds the definition of RSA cryptosystems based on the Euler function ϕ rather than on the Carmichael function λ, cf. [3]. However, since ϕ(pq) = (p 1)(q 1), − − both function values ϕ(pq) and λ(pq) share the same divisors. Therefore, a possible key parameter d relatively prime to λ(pq) is also relatively prime to ϕ(pq), and vice versa. Only the resulting counter key e may differ. To be more precise, any possible RSA key pair of a system based on the Euler function is a possible key pair with respect to the Carmichael function, whereas the reverse is not generally true. (Proof: Since λ(n) ϕ(n), the equality | ed = 1 mod ϕ(n) implies ed = 1 mod λ(n).) Using the Euler function ϕ, the correctness of RSA is shown with the Euler theorem A.2 on p. 16, instead of the corollary of Carmichael. 2.1 Properties of an RSA key system Theorem 2.2 Let p, q N be two primes, p,q > 1, p = q. Then the number νpq of all possible ∈ 6 key pairs (P,S) = ((e, pq),(d, pq)) is given by νpq = ϕ(λ(pq)). (4) The (trivial) keys with e = d = 1 and with e = d = λ(pq) 1 are always possible, and − (p 1)(q 1) 2 < ν < − − . (5) pq gcd (p 1,q 1) − − Proof. Since ed = 1 mod λ(pq), without restriction to generality we have 0 < e,d < λ(pq). Moreover, gcd(d,λ(pq)) = gcd(e,λ(pq)) = 1, because for an arbitrary integer a with gcd(a, λ N λ Z (pq)) > 1 there exists no b such that ab = 1 mod (pq). Therefore, e,d λ∗ (pq). In Z ∈ λ ∈ Z turn, to any a λ∗ (pq) there exists an integer b such that ab = 1 mod (pq), since λ∗ (pq) is a ∈ Z ϕ λ group. But the order of λ∗ (pq) is exactly ( (pq)). It is clear that 1 1 = 1 mod λ(n), so e = d = 1 are always possible as key parameters. · If e = d = λ(pq) 1, we have ed = λ 2(pq) 2λ(pq) + 1 = 1 mod λ(pq), so e and d are − − always possible, too. By (47), λ(pq) is even and (by pq ≧ 6) greater than 2, so νpq > 2. The maximum number of elements on the other hand is λ(pq) 1. − The plot of all possible RSA key parameters (e,d) reveals general symmetries in the (e,d)- plane. First we observe that if P = (e,n), S = (d,n) is a possible RSA key pair, then trivially also P′ = (d,n), S′ = (e,n) is possible, because ed = de = 1 mod λ(n). Furthermore, if ed = 1 mod λ(n) and 0 < e,d < λ(n)/2, then e′ = λ(n) e, d′ = λ(n) d (6) − − satisfy λ(n)/2 < e′,d′ < λ(n) as well as 2 e′d′ = λ (n) λ(n)(e + d)+ ed = ed mod λ(n). − Therefore, P′ = (e′,n) and S′ = (d′,n) are possible RSA keys, too. To sum up, all possible RSA key parameters (e,d), plotted in the square lattice [0,λ(n) − 1]2 N2 with edges ranging from 0 to λ(n) 1, form a pattern which is symmetric to both the principal⊂ and the secondary square diagonals,− see Figure 3.
Load more

Recommended publications
  • Idempotent Factorizations of Square-Free Integers
    information Article Idempotent Factorizations of Square-Free Integers Barry Fagin Department of Computer Science, US Air Force Academy, Colorado Springs, CO 80840, USA; [email protected]; Tel.: +1-719-333-7377 Received: 20 June 2019; Accepted: 3 July 2019; Published: 6 July 2019 Abstract: We explore the class of positive integers n that admit idempotent factorizations n = p¯q¯ such that l(n)¶(p¯ − 1)(q¯ − 1), where l is the Carmichael lambda function. Idempotent factorizations with p¯ and q¯ prime have received the most attention due to their cryptographic advantages, but there are an infinite number of n with idempotent factorizations containing composite p¯ and/or q¯. Idempotent factorizations are exactly those p¯ and q¯ that generate correctly functioning keys in the Rivest–Shamir–Adleman (RSA) 2-prime protocol with n as the modulus. While the resulting p¯ and q¯ have no cryptographic utility and therefore should never be employed in that capacity, idempotent factorizations warrant study in their own right as they live at the intersection of multiple hard problems in computer science and number theory. We present some analytical results here. We also demonstrate the existence of maximally idempotent integers, those n for which all bipartite factorizations are idempotent. We show how to construct them, and present preliminary results on their distribution. Keywords: cryptography; abstract algebra; Rivest–Shamir–Adleman (RSA); computer science education; cryptography education; number theory; factorization MSC: [2010] 11Axx 11T71 1. Introduction Certain square-free positive integers n can be factored into two numbers (p¯, q¯) such that l(n)¶ (p¯ − 1)(q¯ − 1), where l is the Carmichael lambda function.
    [Show full text]
  • Composite Numbers That Give Valid RSA Key Pairs for Any Coprime P
    information Article Composite Numbers That Give Valid RSA Key Pairs for Any Coprime p Barry Fagin ID Department of Computer Science, US Air Force Academy, Colorado Springs, CO 80840, USA; [email protected]; Tel.: +1-719-339-4514 Received: 13 August 2018; Accepted: 25 August 2018; Published: 28 August 2018 Abstract: RSA key pairs are normally generated from two large primes p and q. We consider what happens if they are generated from two integers s and r, where r is prime, but unbeknownst to the user, s is not. Under most circumstances, the correctness of encryption and decryption depends on the choice of the public and private exponents e and d. In some cases, specific (s, r) pairs can be found for which encryption and decryption will be correct for any (e, d) exponent pair. Certain s exist, however, for which encryption and decryption are correct for any odd prime r - s. We give necessary and sufficient conditions for s with this property. Keywords: cryptography; abstract algebra; RSA; computer science education; cryptography education MSC: [2010] 11Axx 11T71 1. Notation and Background Consider the RSA public-key cryptosystem and its operations of encryption and decryption [1]. Let (p, q) be primes, n = p ∗ q, f(n) = (p − 1)(q − 1) denote Euler’s totient function and (e, d) the ∗ Z encryption/decryption exponent pair chosen such that ed ≡ 1. Let n = Un be the group of units f(n) Z mod n, and let a 2 Un. Encryption and decryption operations are given by: (ae)d ≡ (aed) ≡ (a1) ≡ a mod n We consider the case of RSA encryption and decryption where at least one of (p, q) is a composite number s.
    [Show full text]
  • Arithmetic Properties of Φ(N)/Λ(N) and the Structure of the Multiplicative Group Modulo N
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by University of Missouri: MOspace Arithmetic Properties of '(n)/λ(n) and the Structure of the Multiplicative Group Modulo n William D. Banks Department of Mathematics, University of Missouri Columbia, MO 65211 USA [email protected] Florian Luca Instituto de Matem´aticas Universidad Nacional Aut´onoma de M´exico C.P. 58089, Morelia, Michoac´an, M´exico [email protected] Igor E. Shparlinski Department of Computing Macquarie University Sydney, NSW 2109, Australia [email protected] Abstract For a positive integer n, we let '(n) and λ(n) denote the Euler function and the Carmichael function, respectively. We define ξ(n) as the ratio '(n)/λ(n) and study various arithmetic properties of ξ(n). AMS-classification: 11A25 Keywords: Euler function, Carmichael function. 1 1 Introduction and Notation Let '(n) denote the Euler function, which is defined as usual by '(n) = #(Z=nZ)× = pν−1(p − 1); n ≥ 1: ν pYk n The Carmichael function λ(n) is defined for all n ≥ 1 as the largest order of any element in the multiplicative group (Z=nZ)×. More explicitly, for any prime power pν, one has pν−1(p − 1) if p ≥ 3 or ν ≤ 2; λ(pν) = 2ν−2 if p = 2 and ν ≥ 3; and for an arbitrary integer n ≥ 2, ν1 νk λ(n) = lcm λ(p1 ); : : : ; λ(pk ) ; ν1 νk where n = p1 : : : pk is the prime factorization of n. Clearly, λ(1) = 1. Despite their many similarities, the functions '(n) and λ(n) often exhibit remarkable differences in their arithmetic behavior, and a vast number of results about the growth rate and various arithmetical properties of '(n) and λ(n) have been obtained; see for example [4, 5, 7, 8, 9, 11, 15].
    [Show full text]
  • On Generalized Carmichael Numbers
    ON GENERALIZED CARMICHAEL NUMBERS YONGYI CHEN AND TAE KYU KIM Abstract. Given an integer k, define Ck as the set of integers n > max(k; 0) such that an−k+1 ≡ a (mod n) holds for all integers a. We establish various multiplicative properties of the elements in Ck and give a sufficient condition for the infinitude of Ck. Moreover, we prove that there are finitely many elements in Ck with one and two prime factors if and only if k > 0 and k is prime. In addition, if all but two prime factors of n 2 Ck are fixed, then there are finitely many elements in Ck, excluding certain infinite families of n. We also give conjectures about the growth rate of Ck with numerical evidence. We explore a similar question when both a and k are fixed and prove that for fixed integers a ≥ 2 and k, there are infinitely many integers n such that an−k ≡ 1 (mod n) if and only if (k; a) 6= (0; 2) by building off the work of Kiss and Phong. Finally, we discuss the multiplicative properties of positive integers n such that Carmichael function λ(n) divides n − k. 1. Introduction In 1860, Fermat proved that if p is a prime number, then p divides ap−1 − 1 for any integer a not divisible by p, a result now known as Fermat’s little theorem. An equivalent formulation is that whenever p is a prime number, p divides ap − a for all integers a. Fermat’s little theorem gives a test for prime numbers.
    [Show full text]
  • Handbook of Number Theory Ii
    HANDBOOK OF NUMBER THEORY II by J. Sandor´ Babes¸-Bolyai University of Cluj Department of Mathematics and Computer Science Cluj-Napoca, Romania and B. Crstici formerly the Technical University of Timis¸oara Timis¸oara Romania KLUWER ACADEMIC PUBLISHERS DORDRECHT / BOSTON / LONDON A C.I.P. Catalogue record for this book is available from the Library of Congress. ISBN 1-4020-2546-7 (HB) ISBN 1-4020-2547-5 (e-book) Published by Kluwer Academic Publishers, P.O. Box 17, 3300 AA Dordrecht, The Netherlands. Sold and distributed in North, Central and South America by Kluwer Academic Publishers, 101 Philip Drive, Norwell, MA 02061, U.S.A. In all other countries, sold and distributed by Kluwer Academic Publishers, P.O. Box 322, 3300 AH Dordrecht, The Netherlands. Printed on acid-free paper All Rights Reserved C 2004 Kluwer Academic Publishers No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, microfilming, recording or otherwise, without written permission from the Publisher, with the exception of any material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Printed in the Netherlands. Contents PREFACE 7 BASIC SYMBOLS 9 BASIC NOTATIONS 10 1 PERFECT NUMBERS: OLD AND NEW ISSUES; PERSPECTIVES 15 1.1 Introduction .............................. 15 1.2 Some historical facts ......................... 16 1.3 Even perfect numbers ......................... 20 1.4 Odd perfect numbers ......................... 23 1.5 Perfect, multiperfect and multiply perfect numbers ......... 32 1.6 Quasiperfect, almost perfect, and pseudoperfect numbers ...............................
    [Show full text]
  • A NEW ALGORITHM for CONSTRUCTING LARGE CARMICHAEL NUMBERS 1. Introduction a Commonly Used Method to Decide Whether a Given Numbe
    MATHEMATICS OF COMPUTATION Volume 65, Number 214 April 1996, Pages 823–836 ANEWALGORITHM FOR CONSTRUCTING LARGE CARMICHAEL NUMBERS GUNTER¨ LOH¨ AND WOLFGANG NIEBUHR Abstract. We describe an algorithm for constructing Carmichael numbers N with a large number of prime factors p1,p2,...,pk. This algorithm starts with a given number Λ = lcm(p1 1,p2 1,...,pk 1), representing the value of the Carmichael function λ(−N). We− found Carmichael− numbers with up to 1101518 factors. 1. Introduction A commonly used method to decide whether a given number N is composite is the following easily practicable test: Take some number a with gcd(a, N)=1and N 1 compute b a − mod N.Ifb=1,ourN is composite. Unfortunately, if we get b = 1 we cannot← be sure that N 6is prime, even though this is true in many cases. AcompositenumberNwhich yields b = 1 is called a pseudoprime to the base a.IfsomeNyields b =1forallbasesawith gcd(a, N)=1,thisNis called an absolute pseudoprime or a Carmichael number. These numbers were first described by Robert D. Carmichael in 1910 [3]. The term Carmichael number was introduced by Beeger [2] in 1950. The smallest number of this kind is N =3 11 17 = 561. Studying the properties of absolute pseudoprimes, Carmichael defined· · a function λ(N) as follows: λ(2h)=ϕ(2h)forh=0,1,2, 1 λ(2h)= ϕ(2h)forh>2, 2 λ(qh)=ϕ(qh)forprimesq>2, h1 h2 hr h1 h2 hr λ(q q q )=lcm(λ(q ),λ(q ),...,λ(q )) for distinct primes qj , 1 2 ··· r 1 2 r where ϕ denotes Euler’s totient function.
    [Show full text]
  • Topics in Primitive Roots N
    Topics In Primitive Roots N. A. Carella Abstract: This monograph considers a few topics in the theory of primitive roots modulo a prime p≥ 2. A few estimates of the least primitive roots g(p) and the least prime primitive roots g *(p) modulo p, a large prime, are determined. One of the estimate here seems to sharpen the Burgess estimate g(p)≪p 1/4+ϵ for arbitrarily small number ϵ> 0, to the smaller estimate g(p)≪p 5/loglogp uniformly for all large primes p⩾ 2. The expected order of magnitude is g(p)≪(logp) c, c> 1 constant. The corre- sponding estimates for least prime primitive roots g*(p) are slightly higher. The last topics deal with Artin conjecture and its generalization to the set of integers. Some effective lower bounds such as {p⩽x : ord(g)=p-1}≫x(logx) -1 for the number of primes p⩽x with a fixed primitive root g≠±1,b 2 for all large number x⩾ 1 will be provided. The current results in the literature have the lower bound {p⩽x : ord(g)=p-1}≫x(logx) -2, and have restrictions on the minimal number of fixed integers to three or more. Mathematics Subject Classifications: Primary 11A07, Secondary 11Y16, 11M26. Keywords: Prime number; Primitive root; Least primitive root; Prime primitive root; Artin primitive root conjecture; Cyclic group. Copyright 2015 ii Table Of Contents 1. Introduction 1.1. Least Primitive Roots 1.2. Least Prime Primitive Roots 1.3. Subsets of Primes with a Fixed Primitive Roots 1.4.
    [Show full text]
  • Arxiv:1902.10672V2 [Math.NT] 12 May 2021 Ai Yfra’ Itetheorem
    ON CARMICHAEL AND POLYGONAL NUMBERS, BERNOULLI POLYNOMIALS, AND SUMS OF BASE-P DIGITS BERND C. KELLNER AND JONATHAN SONDOW Abstract. We give a new characterization of the set of Car- michael numbers in the context of p-adic theory, independentlyC of the classical results of Korselt and Carmichael. The characteriza- tion originates from a surprising link to the denominators of the Bernoulli polynomials via the sum-of-base-p-digits function. More precisely, we show that such a denominator obeys a triple-product identity, where one factor is connected with a p-adically defined subset of the squarefree integers that contains . This leads to the definitionS of a new subset ′ of , called the “primaryC Carmichael numbers”. Subsequently, weC establishC that every Carmichael num- ber equals an explicitly determined polygonal number. Finally, the set is covered by modular subsets d (d 1) that are related to S S ≥ the Kn¨odel numbers, where = 1 is a special case. C S 1. Introduction A composite positive integer m is called a Carmichael number if the congruence am−1 1 (mod m) (1.1) ≡ holds for all integers a coprime to m (see [11, Sec. A13], [24, Chap. 2, Sec. IX]). Clearly, if m were a prime, then this congruence would be valid by Fermat’s little theorem. arXiv:1902.10672v2 [math.NT] 12 May 2021 Let “number” mean “positive integer” unless otherwise specified, and let p always denote a prime. A first result on Carmichael numbers is the following criterion (for a proof, see [6] or [8, p. 134]). Theorem 1.1 (Korselt’s criterion [20] (1899)).
    [Show full text]
  • Asymptotics for Primitive Roots Producing Polynomials and Primitive Points on Elliptic Curves
    Asymptotics For Primitive Roots Producing Polynomials And Primitive Points On Elliptic Curves N. A. Carella 1 arXiv:1609.01147v3 [math.GM] 19 Jun 2017 1Copyright 2017 Abstract Let x ≥ 1 be a large number, let f(n) 2 Z[x] be a prime producing polynomial of degree deg(f) = m, and let u 6= ±1; v2 be a fixed integer. Assuming the Bateman- Horn conjecture, an asymptotic counting function for the number of primes p = f(n) ≤ x with a fixed primitive root u is derived in this note. This asymptotic result has the form 1=m πf (x) = #fp = f(n) ≤ x : ordp(u) = p − 1g = (c(u; f) + O (1= log x))) x = log x , where c(u; f) is a constant depending on the polynomial and the fixed integer. Furthermore, new results for the asymptotic order of elliptic primes with respect to fixed elliptic curves E : f(X; Y ) = 0 and its groups of Fp-rational points E(Fp), and primitive points are proved in the last chapters. Mathematics Subject Classifications: Primary 11A07, 11G07; Secondary 11N37; 11N32; and 11B83. Keywords: Primitive Root; Prime Values of Polynomial. Primitive Root Producing Polynomial; Primitive Point; Elliptic Curve. i ii Chapter 0. Abstract Contents Abstract i 1 Introduction 1 1.1 Primitive Root Producing Polynomials . 1 1.2 Elliptic Primitive Points . 2 2 Primes Values of Polynomials 5 2.1 Definitions And Notation . 5 2.2 Polynomials Of One Variable . 5 2.3 Quadratic Polynomials . 7 2.4 Cubic Polynomials . 7 2.5 Quartic Polynomials . 8 2.6 Extreme Densities . 9 2.7 Problems .
    [Show full text]
  • [Math.NT] 14 Sep 2004 Noncototients and Nonaliquots
    Noncototients and Nonaliquots William D. Banks Department of Mathematics, University of Missouri Columbia, MO 65211, USA [email protected] Florian Luca Instituto de Matem´aticas Universidad Nacional Aut´onoma de M´exico C.P. 58180, Morelia, Michoac´an, M´exico [email protected] October 22, 2018 Abstract Let ϕ( ) and σ( ) denote the Euler function and the sum of divisors · · function, respectively. In this paper, we give a lower bound for the number of positive integers m x for which the equation m = n ϕ(n) ≤ − has no solution. We also give a lower bound for the number of m x ≤ for which the equation m = σ(n) n has no solution. Finally, we show − the set of positive integers m not of the form (p 1)/2 ϕ(p 1) for − − − some prime number p has a positive lower asymptotic density. arXiv:math/0409231v1 [math.NT] 14 Sep 2004 1 1 Introduction Let ϕ( ) denote the Euler function, whose value at the positive integer n is · 1 ϕ(n)= n 1 . − p p n Y| An integer of the form ϕ(n) is called a totient;a cototient is an integer in the image of the function f (n)= n ϕ(n). If m is a positive integer for which c − the equation fc(n)= m has no solution, then m is called a noncototient. An old conjecture of Erd˝os and Sierpi´nski (see B36 in [7]) asserts the existence of infinitely many noncototients. This conjecture has been settled by Browkin and Schinzel [1], who showed that if w 3 is an odd integer satisfying certain arithmetic properties, then m = 2ℓw≥is a noncototient for every positive integer ℓ; they also showed that the integer w = 509203 is one such integer.
    [Show full text]
  • Arxiv:2007.10044V2 [Quant-Ph] 9 Dec 2020 Algorithms for Reducing Perfect Powers Z = Q to Q: a Simple Option Is to Test If Z Is an Integer for Some D ∈ [2, Blog Zc]
    On completely factoring any integer efficiently in a single run of an order finding algorithm Martin Eker˚a1,2 1KTH Royal Institute of Technology, Stockholm, Sweden 2Swedish NCSA, Swedish Armed Forces, Stockholm, Sweden December 10, 2020 Abstract We show that given the order of a single element selected uniformly at random from ∗ ZN , we can with very high probability, and for any integer N, efficiently find the complete factorization of N in polynomial time. This implies that a single run of the quantum part of Shor's factoring algorithm is usually sufficient. All prime factors of N can then be recovered with negligible computational cost in a classical post-processing step. The classical algorithm required for this step is essentially due to Miller. 1 Introduction In what follows, let n Y ei N = pi i = 1 be an m bit integer, with n ≥ 2 distinct prime factors pi, for ei some positive exponents. Let an algorithm be said to factor N if it computes a non-trivial factor of N, and to completely factor N if it computes the set fp1; : : : ; png. Let φ be Euler's totient function, λ be 0 ∗ the Carmichael function, and λ (N) = lcm(p1 − 1; : : : ; pn − 1). Furthermore, let ZN denote the multiplicative group of ZN , the ring of integers modulo N, and let ln and log be the natural and base two logarithms, respectively. Denote by [a; b] the integers from a up to an including b. Throughout this paper, we shall assume N to be odd for proof-technical reasons. This does not imply a loss of generality: It is easy to fulfill this requirement by using trial division.
    [Show full text]
  • Values of the Euler and Carmichael Functions Which Are Sums of Three Squares
    INTEGERS: ELECTRONIC JOURNAL OF COMBINATORIAL NUMBER THEORY x (200x), #Axx VALUES OF THE EULER AND CARMICHAEL FUNCTIONS WHICH ARE SUMS OF THREE SQUARES Paul Pollack1 Department of Mathematics, University of Illinois, Urbana, Illinois 61801, USA [email protected] Received: , Revised: , Accepted: , Published: Abstract Let ' denote Euler's totient function. The frequency with which '(n) is a perfect square has been investigated by Banks, Friedlander, Pomerance, and Shparlinski, while the frequency with which '(n) is a sum of two squares has been studied by Banks, Luca, Saidak, and Shparlinski. Here we look at the corresponding three-squares question. We show that '(n) is a sum of three squares precisely seven-eighths of the time. We also investigate the analogous problem with ' replaced by Carmichael's λ-function. We prove that the set of n for which λ(n) is a sum of three squares has lower density > 0 and upper density < 1. 1. Introduction Let '(n) denote Euler's totient function, defined as the size of the unit group (Z=nZ)×.A theorem of Banks et al. [2, pp. 40, 43] asserts that for any > 0 and all large x, x x0:7038 ≤ #fn ≤ x : '(n) = g ≤ ; (1) L(x)1− where L(x) = exp(plog x log log log x): 2 We write \" here and below to denote a generic member of the set fn : n = 0; 1; 2; 3;::: g of perfect squares. The same authors present a heuristic argument that the left-hand side of (1) can be replaced with x1−. An investigation into the corresponding question for sums of two squares appeared the following year, where it was shown [4, p.
    [Show full text]